How do I secure the Events Service and related Platform components (v4.4.3+)?

Securing the Events Service, especially when its nodes are hosted in a shared environment, adds an extra layer of encryption to traffic sent to, from, and within the Events Service cluster. That traffic can include IP addresses, infrastructure details, event data, and credit card information. Follow the steps below to encrypt the Events Service and the platform components that communicate with it.

General Notes

If the Events Service nodes in the cluster are not all started at the same time, the communication attempts between the nodes time out and the Events Service fails to start on every node.

Load Balance Events Service Traffic (Secured using Nginx LB)

To distribute load across the members of an Events Service cluster, you need to set up a load balancer. Complete this step before securing the Events Service.

Note: The following example is only one way to load balance the Events Service cluster's traffic, and the instructions assume a Linux-based host. Additional examples and information on load balancer configurations are available here.

1. Edit the /etc/hosts file on the load balancer host running Nginx, as well as on each of the Events Service nodes.

2. Assuming the Nginx package and its dependencies have been installed following the instructions in step 1 here, see the sample configuration file below, which was used to load balance the cluster's traffic.

The Enterprise Console was used to deploy a 3-node cluster with the default REST API port, TCP 9080, for traffic from the Events Service load balancer to each Events Service node.

Once secured, communication to the Events Service load balancer, and from the load balancer to each Events Service node, takes place over TCP port 9443.

The REST API port cannot be changed from the Enterprise Console GUI after an Events Service cluster has been deployed. For an existing Events Service deployment, the only way to change the port is to update the REST API port value directly in the Enterprise Console database.

SSL for the Events Service cluster cannot be enabled from the Enterprise Console GUI; the Enterprise Console CLI must be used.

Steps:

1. Update the REST API port from TCP port 9080 to TCP port 9443. (Note: back up the Enterprise Console database before making these changes.)

Select the most recently configured eventsServiceRestApiPort row and verify its id and port value before updating it.

Using the allowed parameters, specify the path to your keystore, the keystore password, and the alias configured for the key in that keystore. Verify that the keystore exists at the specified path, and that it contains the alias, before running the command.

After the command completes successfully, Segment 1 of your platform is secured using the keystore specified above.

Troubleshooting Common Issues:

The Events Service health check may return the following unhealthy status when the ad.dw.http.host property in the events-service-api-store.properties file does not match the CN in the certificate. For example, the error below was generated because events-service-api-store.properties on each node was configured with ad.dw.http.host=0.0.0.0, a bind-any address that can never match a certificate name.
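The following pre-flight check is an added example and is not part of the original article or the product's own tooling. It reads ad.dw.http.host from a node's events-service-api-store.properties, rejects bind-any values such as 0.0.0.0, and compares the configured host with the names the node's certificate carries. It goes slightly beyond the article: it accepts subjectAltName entries as well as the CN (a TLS client that finds SAN entries ignores the CN), and it handles a wildcard name. The file names, host names, and sample property files are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: check ad.dw.http.host against the certificate's CN/SAN names.
# Not from the original article; paths and host names below are assumptions.

# prop_get <file> <key>: print the value of a key=value property (last
# occurrence wins, surrounding whitespace stripped); return 1 if absent.
prop_get() {
  local file="$1" key="$2" line
  line=$(grep -E "^[[:space:]]*${key}[[:space:]]*=" "$file" 2>/dev/null | tail -n 1)
  [ -n "$line" ] || return 1
  printf '%s\n' "${line#*=}" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# name_matches <host> "<name> <name> ...": return 0 if the host equals one of
# the certificate names (case-insensitive). A leading "*." wildcard covers
# exactly one DNS label, as TLS clients interpret it.
name_matches() {
  local host="$1" names="$2" n
  host=$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')
  for n in $names; do
    n=$(printf '%s' "$n" | tr '[:upper:]' '[:lower:]')
    case "$n" in
      '*.'*) [ "${host#*.}" = "${n#\*.}" ] && [ "$host" != "${host#*.}" ] && return 0 ;;
      *)     [ "$host" = "$n" ] && return 0 ;;
    esac
  done
  return 1
}

# check_api_store_host <properties-file> "<cert names>"
# Exit codes: 0 healthy; 2 property missing; 3 bind-any or empty host;
# 4 host not covered by the certificate.
check_api_store_host() {
  local props="$1" cert_names="$2" host
  host=$(prop_get "$props" ad.dw.http.host) \
    || { echo "ad.dw.http.host is not set in $props"; return 2; }
  case "$host" in
    0.0.0.0|::|'')
      echo "ad.dw.http.host='$host' is a bind-any address; set it to the node's DNS name"
      return 3 ;;
  esac
  if name_matches "$host" "$cert_names"; then
    echo "ok: $host is covered by certificate names [$cert_names]"
    return 0
  fi
  echo "mismatch: ad.dw.http.host=$host is not among certificate names [$cert_names]"
  return 4
}

# To collect the names from a running node (requires openssl; not run here):
#   openssl s_client -connect es-node-1.example.com:9443 </dev/null 2>/dev/null \
#     | openssl x509 -noout -subject -text | grep -A1 'Subject Alternative Name'

# Constructed walkthrough: the misconfiguration from the article, then a fix.
bad=$(mktemp);  printf 'ad.dw.http.host=0.0.0.0\nad.dw.http.port=9080\n' > "$bad"
good=$(mktemp); printf 'ad.dw.http.host=es-node-1.example.com\n' > "$good"
check_api_store_host "$bad"  "es-node-1.example.com" || echo "exit status $?"
check_api_store_host "$good" "es-lb.example.com *.example.com" || echo "exit status $?"
rm -f "$bad" "$good"
```

Run it on each node in turn; a non-zero exit on any node explains the unhealthy status before you spend time on the load balancer.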

Securing Segment 4: EUM Server --> Events Service Load Balancer

Note: If Analytics is enabled in the EUM Server's properties file (for example analytics.enabled=true) and the EUM Server cannot reach the Events Service, the EUM Server fails to start.

1. The server certificate presented by the Events Service load balancer must be trusted by the client. For self-signed certificates, and for certificates issued by a private root CA, additional steps are required to establish that trust. When using a self-signed certificate, export the certificate from the keystore.

4. Connect the EUM Server to the Events Service following the steps outlined in End User Monitoring Connection Settings. When set correctly, these properties tell the EUM Server's appserver which settings to use when connecting to the Events Service. These are the relevant properties from the eum.properties file:
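The certificate export from step 1 above, carried through to the import and a verification check, as an added example that is not part of the original article or the product's own scripts. It uses the JDK keytool that ships with the platform's Java runtime. The keystore and truststore paths, the password, and the alias are assumptions; the page does not state which truststore the EUM Server's JVM consults, so point TRUSTSTORE at the one it is configured to use.

```bash
#!/usr/bin/env bash
# Added example: make a self-signed Events Service certificate trusted by the
# EUM Server. Not from the original article; names below are assumptions.

# export_cert <keystore> <storepass> <alias> <out.pem>
# Writes the public certificate for <alias> in PEM form (-rfc). The private
# key never leaves the keystore.
export_cert() {
  keytool -exportcert -rfc -keystore "$1" -storepass "$2" -alias "$3" -file "$4"
}

# import_cert <truststore> <storepass> <alias> <cert.pem>
# Adds the certificate as a trusted entry, creating the truststore if needed.
# -noprompt skips the interactive "Trust this certificate?" question, so only
# use it on a file you exported yourself moments earlier.
import_cert() {
  keytool -importcert -noprompt -trustcacerts -keystore "$1" -storepass "$2" \
    -alias "$3" -file "$4"
}

# has_alias <keystore> <storepass> <alias>: 0 if the alias is present.
has_alias() {
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# is_pem_cert <file>: 0 if the file contains a PEM certificate block.
is_pem_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# Assumed locations for the walkthrough; adjust to your deployment.
KEYSTORE=/opt/appdynamics/events-service/conf/es-keystore.jks   # assumption
STOREPASS=changeit                                               # assumption
ALIAS=events-service                                             # assumption
TRUSTSTORE=/opt/appdynamics/eum/eum-truststore.jks               # assumption
CERT_PEM=/tmp/events-service.pem

# Usage: bash secure-eum-trust.sh run
if [ "${1:-}" = "run" ]; then
  export_cert "$KEYSTORE" "$STOREPASS" "$ALIAS" "$CERT_PEM" \
    && is_pem_cert "$CERT_PEM" \
    && import_cert "$TRUSTSTORE" "$STOREPASS" "$ALIAS" "$CERT_PEM" \
    && has_alias "$TRUSTSTORE" "$STOREPASS" "$ALIAS" \
    && echo "imported $ALIAS into $TRUSTSTORE"
fi
```

Restart the EUM Server after the import; because analytics.enabled=true makes an unreachable or untrusted Events Service fatal at startup, check the EUM Server log for a TLS handshake error first if it does not come up.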